The captcha stuff is customizable, but yeah, you have to pay. The issue is that they have, in the past, shipped breaking changes in their default rules that made huge messes, and a huge portion of their customer base just uses the defaults. They've gotten better at this, but again, there's nothing other than their testing to prevent it in the future.

Also based on experiences doing infosec stuff, I can also say that there's ABSOLUTELY a huge portion of "admins" that think more security is more betterer, and configure shit in a way that breaks so many things then get mad that they did that; there's a LOT of depth you have to understand to configure something like Cloudflare's WAF properly, and way too many admin types just don't fully understand the impact of any particular thing is and get way way way waaaay too restrictive and then get mad that it breaks things.

The SSL offload requires you to trust your vendor, and agree that the odds that they're doing anything suspicious is likely zero: their business would damn near instantly implode if they got caught. But, again, you're trusting policy and procedure to keep people out of data.

I think there's a LOT of bias against "MITM" meaning "malicious", and Lemmy ranging from very left to leftish, a huge bias against big tech (which, imo, is 100% warranted and totally earned by decades of shitty behavior) which shows up as a 'Cloudflare is bad because the MITM your traffic' lacking the nuance that, well, every WAF and a heck of a lot of caching CDNs do that because that's how it works.